Re: Securing an Ad Hoc Network
- From: Lem <lemp40@xxxxxxxxxxx>
- Date: Fri, 03 Nov 2006 11:38:02 -0500
Steve Winograd [MVP] wrote:
In article <ego1x3s$GHA.996@xxxxxxxxxxxxxxxxxxxx>, Lem
<lemp40@xxxxxxxxxxx> wrote:
Steve Winograd [MVP] wrote:In article <883A360F-D0D9-4A1F-893C-70F80F1BCF3C@xxxxxxxxxxxxx>, AmyMI could be wrong, but as far as I am aware,
<AmyM@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I am using XP Pro on 2 notebooks. I have just set them up on a peer-to-peer connection with each other. The data encryption is set to WEP, however from what I am reading this is a vulnerable method. These notebooks will be used in meeting environments where corporate espionage is a concern. Is there any way for me to enhance the security of these two units and still remain wireless? Perhaps make the network itself invisible? Thank you in advance.Windows XP Service Pack 2 supports the more secure WPA and WPA2 data
encryption standards. If the wireless network adapters in the
notebooks support WPA or WPA2, use it. If they don't, consider
replacing them.
Neither WPA-PSK nor WPA2-PSK, regardless of the encryption algorithm being TKIP or AES, is supported in XP in ad hoc mode.
In Vista, WPA2-PSK with AES is supported in ad hoc mode. WPA2-PSK with TKIP and WPA-PSK with either TKIP or AES are not supported.
IN XP sp1 there was an option for "WPA-None", but from what I understand, that (a) wasn't much, if any, more secure than WEP, and (b) is no longer available in sp2.
If I am wrong, I'd appreciate a link to some official documentation that shows WPA-PSK supported in ad hoc mode. I don't have a wireless computer here, so I can't test it empirically.
Hi, Lem, and thanks for your though-provoking reply.
You're right that a Windows XP ad-hoc wireless connection can't use a
pre-shared key (WPA-PSK or WPA2-PSK).
WPA-None is still supported in SP2 for an ad-hoc wireless connection.
You can open the wireless connection properties and specify it as the
value for Network Authentication.
However, on reflection, it might not be a good choice for Amy,
because:
1. I don't know what wireless network adapters actually support
WPA-None in the hardware and drivers. I'd recommend using identical
make/model adapters in both computers. Even then, it could be iffy.
2. I've seen reports that installing WPA2 support removes WPA-None.
3. I don't know if it's more secure than WEP.
I haven't found any good documentation of this from Microsoft. It's
mentioned in this article:
The Cable Guy - July 2003
Configuring Wireless Settings Using Windows Server 2003 Group Policy
http://www.microsoft.com/technet/community/columns/cableguy/cg0703.mspx
It's described in this Cisco web page:
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo_350/350cards/windows/incfg9/win6_ape.htm
Thanks for the feedback, Steve. I typed too fast: As you said, I had seen comments to the effect that WPA-None was disabled with the WPA2 update, not the service pack 2 update.
As near as I can tell, without more study than I have time for at the moment, securing ad hoc wireless networks is not a high priority task for the Wi-Fi Alliance, IEEE, or other interested parties. In fact, most of the discussion of ad hoc networks I have seen from corporate security types is directed toward stamping out ad hoc networks as a potential security hole.
One of the major reasons for the increased security of WPA compared to WEP is the use of TKIP, Temporal Key Integrity Protocol. This protocol changes the encryption key on a per-packet basis, thus making it considerably tougher for a cracker to gather enough data to crack the encryption. In WPA-Enterprise, the initial key is supplied by a special key server (e.g., RADIUS) and is different for each session, while in WPA-PSK, the initial key is fixed until manually changed.
In WPA-PSK (TKIP) the basic encryption scheme used is the same as that used in WEP. Some implementations of WPA-PSK allow the use of AES (Advanced Encryption Standard), and thus become sort of a hybrid between WPA and WPA2.
According to the doc linked below, in WPA "a simple IBSS [ad hoc] approach is described [that] uses no authenticated key management protocol but uses a pre-shared key directly as the encryption/integrity key (Note: IBSS is much reduced in security since it has no key management.)"
And later in the same doc, "The following paragraph describes a simple approach to IBSS. IBSS is not supported in Wi-Fi Protected Access and this paragraph is provided for information only. The system is meant for a very simple IBSS usage. A pre-shared key is configured as a Group key and no authentication is carried out (even though IEEE 802.11 authentication frames are exchanged)."
A shorter version of the paper suggests that in WPA2, AES will be used even in ad hoc networks, although I did not see any indication that there will be any key management system (packet-wise change of keys) used in WPA2 ad hoc networks.
The bottom line is that an ad-hoc wireless network probably is not a good idea in "meeting environments where corporate espionage is a concern." If it is used, the "passphrase" should be strong (see, e.g., Diceware http://world.std.com/~reinhold/diceware.html) and it should be changed frequently. That is, if you're going to have an hour-long meeting, the odds are that the encryption won't be broken, but if you're having a two-day conference, I wouldn't count on it.
For small meetings, one could simply set up an inexpensive hub with cat5e jacks at each seat around the conference table. If there are too many attendees to use cabled connections, set up a dedicated infrastructure mode wireless network. It's not that expensive, certainly when compared to corporate trade secret information.
Wi-Fi Protected Access (Wi-Fi Alliance 4/29/03)
http://www.wi-fi.org/files/uploaded_files/wp_8_WPA%20Security_4-29-03.pdf
Portions of IEEE 802.11 Draft 3.0 for implementing WPA
http://www.qacafe.com/WPAfor802.11ver2_042903.pdf
--
Lem MS MVP -- Networking
To the moon and back with 64 Kbits of RAM and 512 Kbits of ROM.
http://en.wikipedia.org/wiki/Apollo_Guidance_Computer
.
- References:
- Re: Securing an Ad Hoc Network
- From: Steve Winograd [MVP]
- Re: Securing an Ad Hoc Network
- From: Lem
- Re: Securing an Ad Hoc Network
- From: Steve Winograd [MVP]
- Re: Securing an Ad Hoc Network
- Prev by Date: Re: YouTube plays trick on me?
- Next by Date: Re: can't access my cmputer in the network group.
- Previous by thread: Re: Securing an Ad Hoc Network
- Next by thread: Debug process for "you may not have access rights...."
- Index(es):
Relevant Pages
|
